FEATURE DETECTION WITH NEURAL NETWORK CLASSIFICATION OF IMAGES REPRESENTATIONS OF TEMPORAL GRAPHS
A computer implemented method of feature detection in temporal graph data structures of events, the method including receiving a temporal series of graph data structures of events each including a plurality of nodes corresponding to events and edges connecting nodes corresponding to relationships between events; rendering each graph data structure in the series as an image representation of the graph data structure including a representation of nodes and edges in the graph being rendered reproducibly in a cartesian space based on attributes of the nodes and edges, so as to generate a temporal series of image representations ordered according to the temporal graph data structures; processing the series of image representations by a convolutional neural network to classify the image series so as to identify a feature in the image series, the convolutional neural network being trained by a supervised training method including a plurality of training example image series in which a subset of the training examples are classified as including the feature.
The present application is a National Phase entry of PCT Application No. PCT/EP2020/057531, filed Mar. 18, 2020, which claims priority from EP Patent Application No. 19164779.1, filed Mar. 23, 2019, each of which is hereby fully incorporated herein by reference.
TECHNICAL FIELDThe present disclosure relates to the detection of features in temporal series of graph data structures.
BACKGROUNDGraph data structures are commonly used to represent and model events in contexts such as, inter alia, computer networks, telecommunications, software, defense and security, bio-informatics and large-scale sensor networks such as sensors found in internet-of-things (IOT) environments. Graph representations of events can provide a useful basis for identifying occurrences warranting intervention. For example, a graph representation of network communication can be used to detect malicious activity in a network.
Typical automated graph analytical processes are resource intensive as a number of elements within a graph grows. Thus, for increased graph dimensionality including numbers of nodes and edges, a quantity of resource required for processing such graphs, such as computer processing, memory and bandwidth resource, can increase considerably. Such typical analytical processing can include, inter alia: graph walking; clustering; sub-graph analysis and classification methods. The problem is considerably compounded if graphs are generated over time as a temporal series of graphs modelling event occurrences in a system, whereby a number of graphs increases dramatically with a consequently dramatic increase in analytical computing resource.
Thus, there is a challenge in providing improved feature detection for graph data structures that alleviates the aforementioned challenges.
SUMMARYAccording to a first aspect of the present disclosure, there is a provided a computer implemented method of feature detection in temporal graph data structures of events, the method comprising: receiving a temporal series of graph data structures of events each including a plurality of nodes corresponding to events and edges connecting nodes corresponding to relationships between events; rendering each graph data structure in the series as an image representation of the graph data structure including a representation of nodes and edges in the graph being rendered reproducibly in a cartesian space based on attributes of the nodes and edges, so as to generate a temporal series of image representations ordered according to the temporal graph data structures; processing the series of image representations by a convolutional neural network to classify the image series so as to identify a feature in the image series, the convolutional neural network being trained by a supervised training method including a plurality of training example image series in which a subset of the training examples are classified as including the feature.
In some embodiments, rendering a graph reproducible in the cartesian space includes determining, for each of node and edge elements in the graph: a size of an indication of the element; a location in the space of the element; and visible attributes of the indication of the element in the space, so as to render the indication having the size, at the location and with the visible attributes.
In some embodiments, the visible attributes include one or more of: a greyscale; a color; and a brightness.
In some embodiments, the feature is an indication of a subgraph in the image series.
In some embodiments, the feature includes a particular change or series of changes to a subgraph over images in the temporally ordered image series.
In some embodiments, the events include network communication events for communication across a computer network, and wherein the feature is associated with malicious communication in the network.
In some embodiments, the identification of the feature in the image series indicates the existence of malicious communication in the network, and the method further comprises, responsive to the identification of the feature in the image series, deploying one or more of: network security protective measures; and network intrusion remediative measures in the computer network.
In some embodiments, the network security protective measures include one or more of: a network proxy; a firewall; an anti-malware facility; and a virus detection facility.
According to a second aspect of the present disclosure, there is a provided a computer system including a processor and memory storing computer program code for performing the method set out above.
According to a third aspect of the present disclosure, there is a provided a computer system including a processor and memory storing computer program code for performing the method set out above.
Embodiments of the present disclosure will now be described, by way of example only, with reference to the accompanying drawings, in which:
The feature of interest 208 as depicted in
The training example image series 206 is generated from training example series of graph data structures. Each image in the image series 206 is rendered based on a graph data structure such that the image represents the graph data structure rendered in a cartesian space as a 2-dimensional or 3-dimensional space. In particular, the rendering of elements of a graph data structure (including nodes and edges) is such that each rendering is preferably reproducible in a cartesian space of the same properties such that images are directly comparable. For example, the algorithm for rendering each image of a graph data structure is common to all rendered images such that each image is reproduced by the algorithm should the image be rendered multiple times. Furthermore, the rendering of elements of a graph data structure in an image representation is based on attributes of nodes and edges in the graph data structure, such as attributes associated with nodes in dependence on the events that the nodes represent, and attributes of edges such as weights or the like. For example, rendering a graph reproducible in a cartesian space can include determining, for each of node and edge elements in the graph: a size of an indication of the element; a location in the space of the element; and visible attributes of the indication of the element in the space, so as to render the indication having the size, at the location and with the visible attributes. Such visible attributes include one or more of: a greyscale; a color; and a brightness.
In this way a temporal sequence of image representations will exhibit changes within the images consistent with changes in a corresponding temporal sequence of graph data structures on which basis the images are generated.
The trained CNN 204 is utilized by a feature detector 200 to detect occurrences of the feature of interest 208 within image representations of temporal graph data structures 202. In this way, detection of a feature—and the attributes of interest of a system for which the feature was generated—within such a visual representation of graph data structures 202 are indicative of existence of such attributes of interest within a system from which the graph data structures 202 were generated.
The feature detector 200 initially renders each of the graph data structures in the temporal sequence of graphs 202 as an image representation 210. As previously described with respect to training images, the image representations 210 are rendered reproducibly in a cartesian space based on attributes of nodes and edges in the graph data structures 202. The rendered image representations 210 are constituted as a series of images ordered temporally according to an order of the temporal series of graph data structures 202.
Subsequently, the feature detector 200 processes the series of image representations 210 of the graph data structures 202 by the CNN 204 so as to detect occurrences of the feature of interest 208 within the images 210. Once detected, the feature of interest 208 and the characteristics of a system of events that it represents can be used to trigger responsive actions in the system.
Notably, the use of a temporal series of images 210 based on temporal series of graph data structures 202 provides for the detection of features across multiple images such as could be achieved for a video or animation based on a series of images. Thus, in one embodiment, the CNN 206 is trained to detect features of interest in a video or animation consisting of multiple frames each constituted by a visual representation of a graph data structure. Thus, the feature of interest 208 can include a particular change or series of changes to one or more subgraphs over multiple images in the temporally ordered image series 210.
An embodiment of the disclosure will now be considered in the field of computer network communication in which each of the training series of images 206 is a visual representation of a graph data structure of networking events occurring within a computer network. For example, such networking events can include: network traffic source, destination and volume; intrusion detection events; security events; or other network events as will be apparent to those skilled in the art. In particular, in the illustrative embodiment, the feature of interest 208 is a learned feature of a visual representation of a graph data structure indicative of (by being associated with) malicious communication in the network.
Accordingly, in the illustrative embodiment, the graph data structures 202 constitute network event graphs that are rendered as visual representations 210 to detect occurrences of the feature of interest 208 therein by the CNN 204. Notably, as depicted in
Insofar as embodiments of the disclosure described are implementable, at least in part, using a software-controlled programmable processing device, such as a microprocessor, digital signal processor or other processing device, data processing apparatus or system, it will be appreciated that a computer program for configuring a programmable device, apparatus or system to implement the foregoing described methods is envisaged as an aspect of the present disclosure. The computer program may be embodied as source code or undergo compilation for implementation on a processing device, apparatus or system or may be embodied as object code, for example.
Suitably, the computer program is stored on a carrier medium in machine or device readable form, for example in solid-state memory, magnetic memory such as disk or tape, optically or magneto-optically readable memory such as compact disk or digital versatile disk etc., and the processing device utilizes the program or a part thereof to configure it for operation. The computer program may be supplied from a remote source embodied in a communications medium such as an electronic signal, radio frequency carrier wave or optical carrier wave. Such carrier media are also envisaged as aspects of the present disclosure.
It will be understood by those skilled in the art that, although the present disclosure has been described in relation to the above described example embodiments, the invention is not limited thereto and that there are many possible variations and modifications which fall within the scope of the claims.
The scope of the present claims includes any novel features or combination of features disclosed herein. The applicant hereby gives notice that new claims may be formulated to such features or combination of features during prosecution of this application or of any such further applications derived therefrom. In particular, with reference to the appended claims, features from dependent claims may be combined with those of the independent claims and features from respective independent claims may be combined in any appropriate manner and not merely in the specific combinations enumerated in the claims.
Claims
1. A computer implemented method of feature detection in temporal graph data structures of events, the method comprising:
- receiving a temporal series of graph data structures of events each including a plurality of nodes corresponding to events and edges connecting the nodes corresponding to relationships between events;
- rendering each graph data structure in the temporal series as an image representation of the graph data structure including a representation of the nodes and the edges in the graph data structure being rendered reproducibly in a cartesian space based on attributes of the nodes and the edges, so as to generate a temporal series of image representations ordered according to the temporal graph data structures; and
- processing the temporal series of image representations by a convolutional neural network to classify the temporal series of image representations so as to identify a feature in the temporal series of image representations, the convolutional neural network being trained by a supervised training method including a plurality of training example image series in which a subset of the plurality of training example image series are classified as including the feature.
2. The method of claim 1, wherein rendering a graph data structure reproducible in the cartesian space includes determining, for each of the nodes and the edges in the graph data structure: a size of an indication of the node and the edge; a location in the cartesian space of the node and the edge; and visible attributes of the indication of the node and the edge in the cartesian space, so as to render the indication having the size, at the location and with the visible attributes.
3. The method of claim 2, wherein the visible attributes include one or more of: a greyscale; a color; and a brightness.
4. The method of claim 1 wherein the feature is an indication of a subgraph in the temporal series of image representations.
5. The method of claim 1 wherein the feature includes a particular change or a series of changes to a subgraph over images in the temporal series of image representations.
6. The method of claim 1 wherein the events include network communication events for communication across a computer network, and wherein the feature is associated with malicious communication in the computer network.
7. The method of claim 6, wherein identification of the feature in the temporal series of image representations indicates existence of the malicious communication in the computer network, and the method further comprises, responsive to the identification of the feature in the temporal series of image representations, deploying one or more of network security protective measures or network intrusion remediative measures in the computer network.
8. The method of claim 7, wherein the network security protective measures include one or more of: a network proxy; a firewall; an anti-malware facility; or a virus detection facility.
9. A computer system comprising:
- a processor and memory to carry out feature detection in temporal graph data structures of events by: receiving a temporal series of graph data structures of events each including a plurality of nodes corresponding to events and edges connecting the nodes corresponding to relationships between events; rendering each graph data structure in the temporal series as an image representation of the graph data structure including a representation of the nodes and the edges in the graph data structure being rendered reproducibly in a cartesian space based on attributes of the nodes and the edges, so as to generate a temporal series of image representations ordered according to the temporal graph data structures; and processing the temporal series of image representations by a convolutional neural network to classify the temporal series of image representations so as to identify a feature in the temporal series of image representations, the convolutional neural network being trained by a supervised training method including a plurality of training example image series in which a subset of the plurality of training example image series are classified as including the feature.
10. A non-transitory computer-readable storage medium storing a computer program element comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer to perform the method as claimed in claim 1.
Type: Application
Filed: Mar 18, 2020
Publication Date: Aug 11, 2022
Inventor: Robert HERCOCK (London)
Application Number: 17/593,626